ASP.NET Internals

Posted June 21, 2002

Chat Date: June 13, 2002

Chat Participants:

  • Erik Olson, Program Manager
  • John Perry, Program Manager
  • Dmitry Robsman, Development Manager

MS_John_P
Welcome to today's ASP.NET chat on ASP.NET Internals. I will ask the hosts to introduce themselves.

Erik_MS
Hi, I'm Erik Olson, a Program Manager on the .NET Framework team.

Dmitry_MS
Hi, I am Dmitry Robsman from the ASP.NET development team.

MS_John_P
And I'm John Perry, PM For Communities for ASP.Net

MS_John_P
Let's get started! Fire away with your questions for our hosts.

Erik_MS
Q: Is the difference between the security models of ASP and ASP.NET going to be fixed in IIS 6?

Erik_MS
A: Could you be more explicit? What differences specifically? Thanks! (done)

Dmitry_MS
Q: How can I access Session scope from HttpHandlers/HttpModules?

Dmitry_MS
A: Please use HttpContext.Current.Session

Erik_MS
Q: A way to protect both ASP and ASPX pages under the same Forms model

Erik_MS
A: Ah, the issue there is that ASP.NET is an ISAPI extension. It only sees requests for things that are script-mapped to it.

Erik_MS
Same deal with ASP. In the .NET server release, IIS has new functionality to support this.

Dmitry_MS
Q: I want to persist an XML document throughout my application...

Erik_MS
A future release of ASP.NET will hopefully include support for that feature (done)

Dmitry_MS
A: Please use static members of your application in GLOBAL.ASAX, or Application dictionary

David_MS
Q: jagdish : I am trying to include some file in ASP.NET. This file contains the common code required for all screens. How can I do this in ASP.NET? In old ASP I used to use the include directive to include the file. Please advise.

David_MS
A: you can still use old style ASP includes in ASP.NET. However, in most cases, it is preferable to use User Controls instead.

Erik_MS
Q: In reference to "Erik_MS: In the .NET server release, IIS has new functionality to support this." Can you explain in greater detail? I am running .NET AS and would like to check out that feature.

Erik_MS
A: It's an ISAPI server support function. You can * map things to your ISAPI and then

Dmitry_MS
Q: it complains its of the wrong type

Dmitry_MS
A: what is wrong type?

Erik_MS
call the new function to re-enter the ISAPI state machine and go to the original handler.(done)

patng_ms
Q: Is there a way to access the session scope of all users from inside a module?

patng_ms
A: No. But we are looking into that in the future for Admin purpose.

Erik_MS
Q: How can I load an assembly sitting on the client's machine from a winform embedded in IE?

Erik_MS
A: If the security policy allows it, you can load it with Assembly.Load(). (done)

David_MS
Q: laputa : In our old asp pages, we are using XSL to generate HTML tags. Can we use XSL to generate server side controls in asp.net? How to create event handlers for these controls via XSL?

David_MS
A: Take a look at the <asp:xsl> control, which lets you perform XSL transforms easily from an ASP.NET page. However, note that you cannot use it to generate *server* controls, only client side HTML.

Erik_MS
Q: can I load it from the GAC sitting on the client's machine?

Erik_MS
A: It depends on the policy and the control itself. If your control is fully trusted, yes.

Erik_MS
If your control is partially trusted and the control you're calling supports partially trusted callers, yes.

Erik_MS
Otherwise, no. (done)

patng_ms
Q: MaineBytes : What is the best Enterprise Strategy for SQL State? Should there be one SQL server designated as the state server? What is the expected load from SQL State?

patng_ms
A: Use SQLServer mode, and moreover, session state data can survive a SQL server restart after you've followed instructions in KB 311029.

patng_ms
A: We are still testing cluster failover for SQL State.

Erik_MS
Q: Re: ISAPI Support Function: wow, sounds very interesting. Any URLs with more information?

Erik_MS
A: Not offhand, unfortunately. I'll see if I can dig one up. (done)

Dmitry_MS
Q: I assigned the XML object (application scope) to the control. This is when I get the error.

Dmitry_MS
A: What type of control? (You can't assign XML to a control, only to a control's property.)

David_MS
Q: laputa : What's the best practice to pass data from one page to another page?

David_MS
A: please see (https://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/vbtskPassingValuesBetweenWebFormsPages.asp)

patng_ms
Q: SQL Session State is stored in TempDB. We are getting pushback from our DBAs on this location. Is it possible (or advisable) to change this?

patng_ms
A: See KB 311029. This allows you to use a persistent database instead.

Erik_MS
Q: How can I get Intellisense to work for ASP when I'm in Visual Studio. It only does it in the code behind file

Erik_MS
A: I believe VS requires code behind pages to provide that, unfortunately.(done)

Dmitry_MS
Q: yes I've assigned the XML document to a control property of XML Document type

Dmitry_MS
A: what exactly is the error?

Erik_MS
Q: Is there any support for managed HTTP handlers built in into IIS6, or it's still good ole' C++?

Erik_MS
A: It's still the ISAPI interface and managed HTTP handlers inside of ASP.NET (same thing in other words) (done)

Erik_MS
Q: Why do I need the ASPNET local machine account anyway?

Erik_MS
A: It's the default account for risk mitigation. It is a safe out of the box experience because it's an unprivileged local account.

David_MS
Q: Tyler : Is it possible to load and then cache a user control for use on subsequent pages?

Erik_MS
If you need to run with a more privileged account, you can configure the use of the System account.

David_MS
A: Please look at the LoadControl API. Also, look at the user control <%@ outputcache %> directive.

Erik_MS
It has network creds and more privileges, but carries a high risk if the web application is compromised.

Erik_MS
If I misunderstood, please try me again (done)

Dmitry_MS
Q: Will an httphandler/httpmodule always stay loaded (until the IIS application is stopped/unloaded) ?

Dmitry_MS
A: Lifetime of the module is the same as the lifetime of application instance -- one processes many requests. However there is a free list limit so it can be released on load fluctuations.

Dmitry_MS
A: Handlers are created per request, unless they are 'reusable' and their IHttpHandlerFactory supports recycling.

Erik_MS
Q: Where can I get comprehensive documentation on ASP.NET Runtime. any recommended books or white papers?

Erik_MS
A: There are lots of good ASP.NET books. Try www.asp.net for a list of some of the most popular.

Erik_MS
I'm not aware of any titles specifically on the Http Runtime, though. (done)

Erik_MS
Q: Are you saying I can change it? But no matter what I change it to, the AC2K deployment fails. So can I get rid of it?

Erik_MS
A: Yes, set the userName attribute in <processModel> in machine.config to System to run as System.

Erik_MS
I wonder if we're talking about the same thing, though. I'm not sure why this would impact your deployment,

Erik_MS
just your running code. (done)

David_MS
Q: laputa : Thanks David, we have tons of pages generated by XSL and use a lot of JavaScript. Now we are thinking of migrating our product to ASP.NET. What would be your advice for dealing with this JavaScript?

David_MS
A: Do you mean client or server side javascript? If client side, then you can certainly continue to use that code in ASP.NET.

Dmitry_MS
Q: DMITRY: Something like invalid type;

Dmitry_MS
A: Could be that 2 versions of System.XML.dll are loaded

patng_ms
Q: I declared some global variables in a module file in my asp.net project. Will these global variable be scalable to server farm?

patng_ms
A: No. Web servers won't share the global variables content. Each web server has its own copy.

Dmitry_MS
Q: Internal Server Errors

Dmitry_MS
A: please look at the event log

Erik_MS
Q: What is the best way to debug XSL templates in VS.NET?

Erik_MS
A: Unfortunately, we've got the wrong folks here for that. Sorry we don't have an answer! (done)

patng_ms
Q: how do I replace the built in session object? I have written an HttpModule, but the best I can get is to add a reference to my custom class in the Context.Items collection. Any other options?

patng_ms
A: With v1, you cannot. In v2.0, we are looking into making session state more pluggable. But what exactly do you try to achieve? Maybe there is still a way in v1.

Erik_MS
Q: simple question:How can an ActiveX control(using ATL) read a <PARAM> tag value?

Erik_MS
A: Unfortunately, we've got the wrong folks here for that. Sorry we don't have an answer! (done)

patng_ms
A: It's there (https://support.microsoft.com/default.aspx?scid=kb;EN-US;q311209)

Dmitry_MS
Q: ASP classic

Dmitry_MS
A: no

David_MS
Q: Tyler : David_MS: we actually are calling LoadControl(), but wanted to cache the result of this (type Control) for use on a high perf site. Any way to cache this correctly without the overhead of calling LoadControl()...thanks

David_MS
A: You cannot cache the Control object itself for reuse in future requests, because Controls are never meant to serve more than one request.

David_MS
However, note that LoadControl does cache the *Type* of the user control, so only the first call is expensive (compilation, …).

Erik_MS
Q: How do we handle session across ASP and ASP.NET pages in the same Site?

Erik_MS
A: Unfortunately, they can't share. ASP supports in-proc state only and they run in different processes.

Erik_MS
If you need to support this, you might want to try keeping state in a database and using a cookie to track it.

patng_ms
Q: wardawg : have the session do cookie and cookieless depending on the browser settings,...

Erik_MS
It's not nearly as convenient, but you'll need some external factor (e.g. cookies or a DB) to make the

Erik_MS
two systems share (done).

patng_ms
A: Looks like you try to replace the whole session state module. You have to write your own httpmodule. Sorry.

Erik_MS
Q: do we HAVE TO name the ASP.NET configuration file as web.config?

Erik_MS
A: Yes, if you want ASP.NET to read it. You can store arbitrary stuff for your app elsewhere

Erik_MS
but you'll have to consume it explicitly.(done)

Dmitry_MS
Q: JuanC HttpModule

Dmitry_MS
A: The code will be up -- the number of instances of the module class will fluctuate, if you need something across all instances please use statics

Erik_MS
Q: A feature request...it would be really cool to get access to the viewstate from an Http Module. Then I could store Session there

Erik_MS
A: I'm not sure I understand. Session state isn't predicated on viewstate. You can get to Session state from a module

Erik_MS
using the Session property on the HttpContext class. The handler in question has to

Erik_MS
implement the Session interfaces (pages do) (done)

David_MS
Q: muenchris160694 : Server-side caching seems not to work with dynamically compiled code on pages. Is there any way I can make it cacheable? I guess I somehow need to make the temporary files of the compiler persistent...

David_MS
A: Not sure what type of caching you are referring to. Output caching works fine with output generated from dynamic code.

Erik_MS
Q: Isn't that a security risk? Now all the hackers have to look for only one file called web.config - which contains all the db passwords etc.

Erik_MS
A: It's definitely a best practice not to store secrets in the config file. Here are some other suggestions:

Erik_MS
Use an external file for secrets or use an ACL'd reg key (perhaps with DPAPI encryption).(done)

David_MS
Q: aleksey : Is there a way to get rid of viewstate variable in the generated html? EnableViewState="false" does not solve this problem

David_MS
A: No, you will always get a small amount of viewstate, even if you set EnableViewState="false" (this is for some internal purpose).

David_MS
A: If you *really* want to get rid of it, use a form without runat=server. But be aware that some server controls will no longer work if you do this.

patng_ms
Q: GlucoPilot: Is it possible to setup SQL Session State to use either Integrated Security or at least, NOT a connection string stored cleartext in the web.config

Erik_MS
Q: I've encrypted my web.config values using System.Cryptography, but there seem to be a number of bugs where vectors and the key are modified by the Crypto API. Are these bugs in the Framework or in the underlying API?

Erik_MS
A: I'm not sure. We actually use System.Cryptography heavily in ASP.NET without issues in this regard.

Erik_MS
Note that encryption/decryption transforms should not be shared across threads. (done)

patng_ms
A: Yes. Just put "trusted_connection=true" in your connection string, and remove "sa" and "pwd". However, if you are using impersonation at the same time, right now there is a bug which makes it broken. But we have a QFE for it.

Erik_MS
Q: What's the best security practice for specifying a global connection string? Place it in web.config?

Erik_MS
A: If using integrated auth, that's not too bad. If it's a SQL auth string, I'd recommend putting

Erik_MS
it somewhere else (reg keys, COM+ construct strings, other external files out of the web space, etc.) (done)

patng_ms
A: And if you're not using impersonation, beware that you're connecting using the asp.net worker process account.

Dmitry_MS
Q: global variables / constants on web farm

Dmitry_MS
A: constants - replicate; variable - use database

Erik_MS
Q: Is there any quick way of encrypting a string then uuencode it?

Erik_MS
A: uuencode, no (at least not built in). Base64, yes. There's Convert.ToBase64String

Erik_MS
or a To/FromBase64Transform class in the crypto libraries. (done)

Dmitry_MS
A: in ASP you *have* to restart the process to get a new version of a DLL loaded

David_MS
Q: laputa : another question: it seems that all aspx pages in one web application are compiled into one DLL. We have hundreds of pages there, if they get compiled into one giant DLL, would that impact the performance?

David_MS
A: This batching that you describe is deliberate, and is meant to improve performance. Having a large number of assemblies would end up using much more resource.

David_MS
A: Note that you can configure this behavior in the section of machine.config. Look at the batch, maxBatchSize, and maxBatchGeneratedFileSize attributes.

Erik_MS
Q: How can you share authentication information between a web service and an ASP.NET web page?

Erik_MS
A: Do you mean across tiers or within a single application? Web service proxies can use all

Erik_MS
the canonical forms of HTTP authentication. To do integrated auth, set

Erik_MS
MyProxy.Credentials = CredentialCache.DefaultCredentials;

Erik_MS
To flow across tiers, you need a delegatable form of auth like Kerberos (or Basic over SSL).

Erik_MS
(done)

Erik_MS
A: Unfortunately, we haven't announced a schedule for that.

Dmitry_MS
A: if the request that generates the page also generates the image then the image has to be stored on the server between requests (unless args to image generation are small enough to fit query string)

Erik_MS
Q: Is it better to use IIS/ASP.net as the Remoting Listener or create a service listener?

Dmitry_MS
Q: Images

Dmitry_MS
A: What HTML do you generate? With <img src=...>? then there are 2 requests

Erik_MS
A: They have different characteristics. The web version uses all the features of the web

Erik_MS
server: logging, authentication, authorization, etc. The service version is long lived

Erik_MS
but requires more from your app in terms of security. In some scenarios where you're

Erik_MS
going machine to machine and using something like IPSEC to secure the link, the service

Erik_MS
approach might work nicely. (done)

MS_John_P
This has been a GREAT chat. Thank you to everyone. Unfortunately, it is time to go.

David_MS
Q: aleksey : Well, When I print normal HTML pages, my browser does not make an additional post request

David_MS
A: if you have images in your normal page, the browser will send one http request per image.

Erik_MS
Thanks everyone! Please visit https://www.asp.net for more info on ASP.NET

MS_John_P
The transcript from today's chat will be posted on https://www.msdn.microsoft.com/chats/
